Feb. 20, 2013

Adam Vincent is CEO of CyberSquared. / H. Darr Beiser, USA TODAY

by Byron Acohido, USA TODAY

SEATTLE -- The Chinese military hacking group accused of stealing huge amounts of data from U.S. organizations is one of some 20 active cyberspying groups engaging in comparable data theft and espionage, according to U.S. security companies.

The elite cyberspying rings conduct attacks referred to as Advanced Persistent Threats. They quietly penetrate corporate and government networks, often luring employees using tainted e-mail or social media ruses. Then they stealthily gain deeper access to steal data over months and years.

The community of Western tech security companies and government security agencies has been tracking these APT groups for at least the past decade.

Cyber-forensics firm Mandiant shook things up Monday by disclosing that an APT group operating in a 12-story office tower in Shanghai is responsible for breaching 115 companies and organizations in the U.S. since at least 2006.

Mandiant tracks the gang as APT1 and attributes it to Unit 61398 of China's People's Liberation Army.

Adam Vincent, CEO of cyber-intelligence start-up Cyber Squared, says Unit 61398 appears to be the cyber ring known as the "Comment Group" that has been extensively tracked by the security community for some time.

"This is just one of 20 known APT groups that range in size and maturity," says Vincent. "Some have been around longer than others, and they range in size and maturity. Comment Group is by far the most well understood in the community, but there are lots of other bad ones."

Mandiant's detailed disclosure was unusual because security vendors usually jealously guard specifics about what they find, to avoid embarrassing their corporate clients.

But that silence has played right into the hands of data thieves and cyberspies looking to steal intellectual property and attain strategic intelligence for military advantage.

The problem has grown so large that Congress spent the past two years attempting to pass cybersecurity legislation aimed primarily at fostering intelligence sharing to reduce the risk of cyberattacks that could cripple the U.S. infrastructure. Last week, a frustrated President Obama issued an executive order for the National Institute of Standards and Technology to establish a framework for such sharing.

Stealthier attacks are being waged by other nations besides China to penetrate telecommunications, banking and power systems, and to rob national wealth, says Alan Paller, research director of security think tank The SANS Institute.

"The number of bad actors is spread among nations, terrorists, anarchists and criminals," Paller says. "Their identity is not as important as what we do to defend our systems -- because they usually exploit the same weaknesses."

Paller says all companies and agencies that might be targeted for attack should study Raising the Bar for Cybersecurity, a white paper from the Center for Strategic and International Studies issued in support of President Obama's executive order.

In this environment, Cyber Squared, like Mandiant, has been releasing details about the patterns and behaviors of active APT groups. Vincent says at least six separate China-based cyberspying operations are likely responsible for targeting U.S., U.K., Australian, Canadian, Korean and Philippine media organizations, newspapers, wire outlets and their affiliates.

As APT groups go, the Comment Group was comparatively noisy, meaning they generally did not cover their tracks very meticulously, Vincent says.

"This is sort of like telling a crime syndicate about all of your evidence before you arrest them," Vincent says. "Obviously, this will help convict them right now if that was possible. More likely, they will begin covering their tracks and change everything they do going forward."

The more advanced APT groups are using cutting-edge techniques that security companies are just learning about, says John Prisco, CEO of security start-up Triumfant.

"The Chinese are just getting started," says Prisco. "We have all become familiar with the term Advanced Persistent Threat. Get ready to know more about what we're calling the Advanced Volatile Threat. This new type of attack is the equivalent of a drive-by shooting."